IT Security Policy
Effective Date: April 21, 2020
Downloadable Version: IT Security Policy
This document is available in alternate format on request.
Purpose/Rationale:
This IT Security Policy (“Policy”) outlines, at a high level, the expectations for maintaining the security of Humber’s information systems, whether owned, leased or managed by a third party (hosted or cloud), and is guided by institutional security requirements specific to Humber’s current operating environment and projected threat landscape.
This Policy is intended to ensure the confidentiality, integrity and availability of the information and data assets (hereafter referred to as Information) that support Humber’s business processes, while taking into account the following desired outcomes:
- Minimize business information risks
- Preserve the trust of our students, staff and community
- Ensure our services are securely delivered and available
- Meet our legal and regulatory obligations
- Ensure emerging technologies are delivered in a secure fashion
Objectives and Principles:
Objectives
Humber’s IT Security objective is to establish the appropriate level of controls to manage security risks while enabling academic delivery and business operations. Humber achieves this objective through the design, deployment and operation of the IT Security Program in alignment with the following:
- Humber’s risk thresholds
- Industry standards and best practices
- Regulatory and contractual requirements
Principles
- Security Governance — Personal accountability and responsibility for IT Security are incorporated in Roles and Responsibilities that ensure that every individual applies the applicable information security policies, principles, procedures and practices in their daily activities.
- Security Control Measures — Information security policies, standards, guidelines and procedures are developed to communicate security requirements and guide the selection and implementation of security control measures.
- Continuous Awareness and Education — Information security education, training and awareness programs ensure that users are aware of security risks and concerns and are equipped to apply organizational security policies and principles.
- Protecting Security of Assets — Information assets are classified according to their criticality to the organization enabling an appropriate level of protection. Information assets are to be used for the intended business purpose only. (See Data Governance Policy)
- Legislative and Regulatory Compliance — Legal, regulatory and contractual requirements are identified, documented and followed.
- Measure and Monitor (Continuous improvement) — Continual improvement requires measuring and monitoring the effectiveness and efficiency of the IT Security Program and making sure it is in accordance with the IT Security Policy.
Scope/Audience:
The scope of IT Security includes all information and technology assets belonging to or managed by Humber located within our facilities, service provider facilities (e.g. Cloud) and the clients accessing these assets. Clients include but are not limited to:
- All employees (Faculty and Staff)
- All students and learners
- All suppliers, contractors and guests that use the Humber network
- All guests (any external person or entity; this includes members of the public, retirees, event attendees, prospective students, alumni, advisory groups, varsity teams, etc.)
Definitions:
Information: Timely and accurate data organized and presented in a way that gives it meaning/relevance leading to increased understanding or reduced uncertainty.
Data: Information in a raw or unorganized form (such as letters, numbers, symbols, or graphics) that refer to, or represent, conditions, ideas, or objects.
Employee: Any individual (not an independent business) providing value to Humber on a regular or semi-regular basis in exchange for compensation.
Humber: The Humber College Institute of Technology and Advanced Learning, and the University of Guelph-Humber; a post-secondary, educational institution in Ontario with multiple community service programs.
Student: Any person actively enrolled in a Humber course including individuals in fully online courses and people using a Humber community service.
Learner: Any person actively enrolled in Real Estate Education Program (REEP).
Supplier: An independent business providing value to Humber (also known as a "vendor", "contractor", "strategic partner" and/or "consultant"). Examples include cloud service providers.
Client: Any individual or entity (includes students, employees, suppliers, and guests) using one or more technical services at Humber (also known as a "Data User").
IT Security Standards: Details and specifications that define the quality of the IT Security controls derived from the Information Technology Security Control Framework and that can be used as a measure.
IT Security Program: The agreed projects to be undertaken to remediate the IT Security gaps in standards and processes and to attain the desired maturity level.
Roles and Responsibilities:
Humber will act appropriately to preserve the confidentiality, integrity, and availability of information, support information security within the organization, and to maintain a secure information technology (IT) environment. The College provides a safe and secure environment for the collection, storage, access and retrieval of information. Members of the College community are required to handle Humber College information assets responsibly within their respective roles and in accordance with this Policy.
Chief Information Officer
The Chief Information Officer (“CIO”) oversees and is accountable for the development of Humber’s Information Technology (“IT”) Security Program. Responsibilities of the CIO include the following:
- Provide leadership and oversight on strategy, policy and standards development
- Socialize the IT Security Program and related activities
Director of IT Security
The Director of IT Security is responsible for the planning, development and implementation of the IT Security Program. Responsibilities of the Director of IT Security include the following:
- Development and implementation of the IT Security Program including associated policy and standards.
- Development of IT Security Roadmap to achieve long range compliance goals.
- Track and measure the effectiveness of security controls, policy and standards.
Technology and Information Management Steering Committee (TIMS)
The Technology and Information Management Steering Committee (“TIMS”) is a forum for consideration of Institution-wide computing strategy and initiatives. Specific oversight responsibilities related to the IT Security Policy include the following:
- Review policy, standards and initiatives in support of the IT Security Policy
- Identify the business impact of proposed strategy
- Agree on critical IT services and information assets
- Provide IT Security governance, including deciding on risk appetite and ownership of IT Security risk
Executive Sponsors
Executive Sponsors are senior-level employees who have planning and policy responsibility and accountability for major administrative data systems. Executive Sponsors have overall accountability for the security of the IT systems they own; they may delegate activities to other employees such as Data Stewards or Data Administrators, but those delegates must act in accordance with the defined requirements. Responsibilities of Executive Sponsors related to the IT Security Policy include the following:
- Accountable for ensuring that systems are assessed for security requirements including those flowing from legislative and contractual obligations.
- Accountable for ensuring that systems are designed, configured, implemented, operated, maintained, upgraded and decommissioned in accordance with Humber’s security standards.
- Accountable for ensuring that College systems under their purview have an appropriately assigned Data Steward and Data Administrator.
Data Stewards
Data Stewards are appointed by Executive Sponsors to implement data governance, privacy and security management policies. Responsibilities of Data Stewards include the following:
- Authorize the use of systems within their functional areas and monitor this use to verify appropriate data access.
- Support access by providing appropriate documentation and training to support College system Clients.
- Responsible for safeguarding systems from unauthorized access through established procedures and educational programs.
Data Administrators
Data Administrators are functional or technical users that have operational responsibility for the capture, maintenance and dissemination of a specific segment of information, including the installation, maintenance and operation of associated computer hardware and software platforms. Some Data Administrators may work in an IT department outside of a functional unit but have responsibility for implementing the decisions of the Data Stewards. Responsibilities of Data Administrators include the following:
- Responsible for ensuring that systems are assessed for security requirements including those flowing from legislative and contractual obligations.
- Responsible for ensuring that systems are designed, configured, implemented, operated, maintained, upgraded and decommissioned in accordance with Humber’s security standards.
- Responsible for classifying information under their purview in accordance with institutional data classification standards, and for the accuracy of, and access to and use of, information in their custody.
- Responsible for implementing the technical features of the assets under their administration in accordance with policy, guidelines, and other requirements as deemed necessary by Data Stewards.
Data Users
Data Users are individuals who make use of information while performing assigned duties or fulfilling authorized activities within the College. They include full-time permanent employees (e.g., faculty, administrators and support staff), other employees such as contract staff, consultants and agents, as well as students, volunteers and guests. Data Users are responsible for:
- Taking appropriate measures to prevent loss, damage, abuse, or unauthorized access to information assets under their control.
- Respecting the classification of information as established by the Data Stewards and Executive Sponsors.
- Complying with all the policy requirements defined in the security, privacy and data governance policies and supporting procedures, rules and guidelines.
- Taking responsibility for the technology asset(s) assigned to them. They must be able to determine the function and location of technology assets under their custodianship and must ensure that assets transferred out of their custodianship are clearly assigned to the next custodian.
Enforcement:
Suspected violations of the IT Security Policy and its associated standards may be reported to the CIO.
- Pending an investigation, Humber reserves the right to immediately suspend a Client's access to any and all technical services.
- Suppliers and guests who violate the IT Security Policy and its associated standards may have their Humber contracts terminated and/or be refused all future entry to Humber campuses.
- Employees and students who violate the IT Security Policy and its associated standards may be subject to disciplinary action up to and including termination of employment or expulsion.
- Non-compliance with the Policy may result in the termination of access to Humber’s Information systems and disciplinary action in the case of malicious intent.
Compliance:
- The Information Security Team may conduct IT Security assessments, audits, and other reviews to assess compliance with this Policy and the Information Technology Security Standards.
- The Information Security Team may also engage external auditing and/or professional services to conduct tests that measure compliance or identify areas of risk, in accordance with these policies and standards.
- Humber will review the IT Security Policy annually or when significant changes occur.
Information Classification:
Humber’s information systems must be protected in a manner consistent with the Freedom of Information and Protection of Privacy Act (FIPPA) and any other legislation that may apply. Please refer to the Data Governance Policy <link> and Access and Privacy Policy <link> for information on information protection and classification (see Appendix C).
Policy Exceptions:
Exceptions to this policy and IT Security Standards must be submitted to and approved by the CIO or designate (see Appendix B). Questions about this Policy can be directed to the IT Security Manager.
Appendices:
Appendix A: RACI Matrix: Roles and Responsibilities
Appendix B: Exception Request Form
Appendix C: Classification of Institutional Data
References:
Freedom of Information and Protection of Privacy Act (Ontario)
Personal Health Information Protection Act (Ontario)